2019-05-01_Linux_Format

Newsdesk

THIS ISSUE: Google has a meltdown  Nginx is worth a lot  PureOS converges  Firefox Send  Skype issues  EU router rules

Hardware security

Can Meltdown and Spectre bugs ever be fixed?

The ramifications of Meltdown and Spectre continue, with Google suggesting that there will never be a software-based fix.

More than a year ago, the Meltdown and Spectre bugs were revealed to affect some of the most widely used processors in the world – and throughout 2018 and even into this year, new variants and threats based on the bugs have continued to be found. The vulnerabilities, which appear to be present in chips from nearly every manufacturer, enable potential malicious users to access protected data on a victim’s device, and exploit speculative execution and caching features of a CPU. While there have not been any known attacks using these vulnerabilities, their existence has caused shockwaves throughout the technology world – and beyond, due to the prevalence of the vulnerabilities.

Since the revelations about the bugs were disclosed, a number of manufacturers moved quickly to release patches to mitigate the problem. However, these software fixes aren’t ideal, mainly because Meltdown and Spectre affect features of the CPU which are designed to improve performance, and applying the patches results in a noticeable degradation. At the end of February 2019, open source hardware experts at Phoronix noted that Linux 5.0 kernel performance was worse than previous kernel releases (read the full article at http://bit.ly/LXFPhoronixLinux5). This is a worrying trend, as kernel updates should improve performance, and some readers pointed out that this performance loss corresponds with Meltdown and Spectre mitigations being included in Linux 5.0.

In fact, looking at Phoronix’s benchmark results, there’s a clear dip in performance starting from Linux 4.15, with another large dip between Linux 4.20 and Linux 5.0. As Phoronix points out, the Spectre/Meltdown vulnerabilities were made public around the time of Linux 4.14, and in-kernel mitigations such as PTI and Retpolines were added – which supports many people’s fears that if we’re to be protected against Spectre/Meltdown, we’re going to have to live with the performance implications that come with software patches.

Google has been even more pessimistic, recently releasing an analysis of Spectre which comes to the conclusion that Spectre-like vulnerabilities will never be fully eradicated by software patches. In fact, Spectre could continue to impact processors for the foreseeable future, while software-based mitigations will have an even greater impact on performance. Read the entire paper at http://bit.ly/LXFGoogleSpectre. For the moment at least, it looks like we’re going to have to accept performance hits as a price to pay for security.
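The in-kernel mitigations named in the article (PTI, retpolines) are reported by the kernel itself, so an administrator weighing the performance cost can first check which ones are actually enabled on a given machine. The script below is an added example, not code from the magazine, Phoronix or Google: it reads the real sysfs directory /sys/devices/system/cpu/vulnerabilities (present since Linux 4.15, the release where the benchmark dip begins) when invoked with --live, and otherwise classifies a constructed sample of such lines so it can be run where that directory does not exist. The sample values and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the magazine): summarise the kernel's own report of
# Meltdown/Spectre mitigation status. Each file under
# /sys/devices/system/cpu/vulnerabilities/ holds one line of roughly the form
#   "Not affected", "Vulnerable", "Vulnerable: <detail>" or "Mitigation: <detail>".
# The sysfs interface is real; the sample lines further down are constructed so
# the classifier can be exercised on a machine without that sysfs tree.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status <status text> -> prints mitigated|unaffected|vulnerable|unknown
classify_status() {
    case "$1" in
        "Mitigation:"*)   echo mitigated ;;
        "Not affected"*)  echo unaffected ;;
        "Vulnerable"*)    echo vulnerable ;;
        *)                echo unknown ;;
    esac
}

# report_status reads "name: status" lines on stdin, prints "name<TAB>class"
# for each, and returns 1 if any entry is reported as unmitigated.
report_status() {
    rc=0
    while IFS= read -r line; do
        name=${line%%:*}          # text before the first colon
        status=${line#*: }        # text after the first ": "
        class=$(classify_status "$status")
        printf '%s\t%s\n' "$name" "$class"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

# collect_sysfs emits "name: status" for every readable file in the kernel's directory.
collect_sysfs() {
    for f in "$SYSFS_VULN_DIR"/*; do
        [ -r "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Constructed sample (not captured from a real host) in the same "name: status"
# form: PTI and retpolines enabled, one entry left unmitigated, one not affected.
SAMPLE_STATUS='meltdown: Mitigation: PTI
spectre_v1: Mitigation: __user pointer sanitization
spectre_v2: Mitigation: Full generic retpoline
l1tf: Vulnerable
spec_store_bypass: Not affected'

# count_unmitigated <text> -> number of entries classified as vulnerable
count_unmitigated() {
    printf '%s\n' "$1" | report_status | awk -F'\t' '$2=="vulnerable"{n++} END{print n+0}'
}

if [ "${1:-}" = "--live" ] && [ -d "$SYSFS_VULN_DIR" ]; then
    collect_sysfs | report_status || echo "unmitigated entries present"
else
    printf '%s\n' "$SAMPLE_STATUS" | report_status || echo "unmitigated entries present"
fi
```

Run with --live on a 4.15 or newer kernel to see the real table; the non-zero return from report_status makes the script usable as a fleet check, and the per-entry "mitigated" lines are what to correlate against benchmark regressions like the Phoronix numbers, since each active mitigation is a separate source of overhead.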


Spectre will be plaguing processors for the near future, according to Google.

Image credit: TechRadar

Meltdown and Spectre affect features of the CPU which are designed to improve performance

6 LXF249 May 2019 http://www.linuxformat.com